mercedes-benz / sechub

SecHub provides a central API to test software with different security tools.
https://mercedes-benz.github.io/sechub/
MIT License

Projects only doing codescan but have no whitelist entry throw NPE #14

Closed de-jcup closed 5 years ago

de-jcup commented 5 years ago

Current situation: When a project is defined in SecHub without having a whitelist entry we get an NPE. Sometimes we have projects doing only a code scan, so even an empty list must be valid.

de-jcup commented 5 years ago

Current workaround is to always add a dummy entry, e.g. "http://example.com", as whitelist entry.

de-jcup commented 5 years ago

Hmm... tried out the old version (0.10.3) and there the tests do not fail, but there was an error.

After trying out to create a project I found a way to reproduce the problem:

  1. create some testdata

    • start the scenario2 integration test.
    • copy the executed command (contains generated API tokens for scenario2_user1)
  2. now create a new project via the DeveloperAdmin UI:

    • name "testproject"
    • description "xxx"
    • user: scenario2_user1
    • whitelist: at the first dialog just press OK, on the next dialog do the cancel (exactly this way)
  3. assign scenario2_user1 to the project.

  4. execute a normal scan

    • use the copied command from 1 and replace "scanAsync" with "scan". Also change the project to "testproject" and start

You will receive a 500 error message at client side. On server side an NPE has occurred:

java.lang.NullPointerException: null
    at com.daimler.sechub.domain.schedule.whitelist.ProjectWhiteListSecHubConfigurationValidationService.fetchAllowedUris(ProjectWhiteListSecHubConfigurationValidationService.java:69) ~[main/:na]
    at 
...
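
A null-safe variant of the whitelist check this thread is about, as an added example (not SecHub's own ProjectWhiteListSecHubConfigurationValidationService code): a missing or empty whitelist is accepted when the configuration targets no URIs (code scan only), while a configuration that does target URIs against an empty whitelist fails with a validation message instead of an NPE. The class and method names are assumptions, and the target-URI list is assumed to come from the scan configuration.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
/** Added example, not SecHub's own code: null-safe validation of scan targets against a project whitelist. */
public class WhiteListCheck {
    /** Returns the validation problems (empty list = valid). whitelist: the project's allowed URIs, null or
     *  empty for a code-scan-only project; targetUris: what the scan wants to reach, null or empty for a code scan. */
    public static List<String> validate(Collection<String> whitelist, Collection<String> targetUris) {
        // Normalise the "no entry" cases first so nothing downstream can dereference a null.
        Collection<String> allowed = whitelist == null ? List.of() : whitelist;
        Collection<String> targets = targetUris == null ? List.of() : targetUris;
        List<String> problems = new ArrayList<>();
        if (targets.isEmpty()) return problems; // a code scan reaches no URI, so an empty whitelist is fine
        if (allowed.isEmpty()) { // scan wants to reach something but nothing is permitted: error, not NPE
            problems.add("project has no whitelist entries but configuration targets " + targets);
            return problems;
        }
        for (String target : targets) {
            if (!isCovered(target, allowed)) problems.add("target not whitelisted: " + target);
        }
        return problems;
    }
    /** Covered = same scheme, host and port as an entry, and the entry's path is a path-segment prefix. */
    static boolean isCovered(String target, Collection<String> allowed) {
        URI t = parse(target);
        if (t == null) return false; // an unparsable or non-hierarchical target is never allowed
        for (String entry : allowed) {
            URI a = parse(entry);
            if (a == null) continue; // a blank or malformed entry (e.g. the empty dialog entry) is no wildcard
            boolean sameOrigin = a.getScheme().equalsIgnoreCase(t.getScheme())
                    && a.getHost().equalsIgnoreCase(t.getHost()) && a.getPort() == t.getPort();
            String aPath = a.getPath().isEmpty() ? "/" : a.getPath();
            String tPath = t.getPath().isEmpty() ? "/" : t.getPath();
            String prefix = aPath.endsWith("/") ? aPath : aPath + "/";
            if (sameOrigin && (tPath.equals(aPath) || tPath.startsWith(prefix))) return true;
        }
        return false;
    }
    /** Normalised absolute hierarchical URI, or null when the string is blank, malformed or opaque. */
    private static URI parse(String s) {
        try {
            URI u = s == null ? null : URI.create(s.trim()).normalize();
            return u == null || u.getScheme() == null || u.getHost() == null ? null : u;
        } catch (IllegalArgumentException e) { // URI.create rejects illegal characters this way
            return null;
        }
    }
}
```
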
de-jcup commented 5 years ago

There is another problem: When adding something not being valid (e.g. the empty entry in the former first white list dialog) we cannot delete the project any longer:

org.h2.jdbc.JdbcSQLException: Referential integrity constraint violation: "C04_ADM_PROJECTWHITELIST_PROJECT_ID: PUBLIC.ADM_PROJECT_WHITELIST_URI FOREIGN KEY(PROJECT_PROJECT_ID) REFERENCES PUBLIC.ADM_PROJECT(PROJECT_ID) ('testproject')"; SQL statement:
delete from adm_project where project_id=? and version=? [23503-197]
    at org.h2.message.DbException.getJdbcSQLException(DbException.java:357) ~[h2-1.4.197.jar:1.4.197]
...
    at com.daimler.sechub.domain.administration.project.ProjectDeleteService.deletProject(ProjectDeleteService.java:42) ~[main/:na]
    at com.daimler.sechub.domain.administration.project.ProjectDeleteService$$FastClassBySpringCGLIB$$b95f38d3.invoke(<generated>) ~[main/:na]
...

Updating the white list with a dummy entry like "https://www.example.com" did solve the problem, and the admin UI/service was able to delete the project then.

This also prevented execution of the IntegrationTests for the test scenario where the used user was created!